HTTP Host header attack #4310
Comments
|
This issue is detected by Burp Scanner, which makes it difficult selling products based on Spring Security to security conscious customers. Are there any plans fixing this issue or is there any workaround? |
|
Some progress on this? issue is open since April... |
|
Just wander. Can I use code snippet below for getting server name? new java.net.URI(request.getRequestURL().toString()).getHost() |
|
What is the progress here? Could hardly believe action has not been taken for such security issue almost two years. |
|
FWIW SourceClear reports this as a vulnerability (https://www.sourceclear.com/vulnerability-database/security/incorrect-headers-handling/java/sid-20558) - any chance this could get patched up soon? |
|
Since the The application would need to set this value like so: void configure(WebSecurity web) {
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.setAllowedHostnames(hostname -> hostname.equals("example.org"));
web
.httpFirewall(firewall);
}With this solution, @fraenku would this address the issue? |
rwinch
added
in: web
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes spring-projectsgh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes spring-projectsgh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
|
Does anyone know a use case where spring-security itself opens a vulnerability due to the Host header manipulation? Assuming my application code doesn't use UrlUtils for anything sensitive to attacks from the description, is it still dangerous to just use spring-security? |
rwinch
removed
the
status: ideal-for-contribution
This ticket doesn't describe any attacks. If anyone does know of one, I'd encourage that it be reported responsibly to security@pivotal.io, not here.
No piece of software is perfectly secure, @avodonosov, but there is quite a difference between that and describing a software library as "dangerous". Can you explain a bit more of what you mean here? |
|
@jzheaux , I mean is there a real vulnerability if I simply use spring-security functionality, without taking UrlUtils result myself and sending it somewhere. I just mean is it really exploitable, or it's just a general note that the Host is accessed by code, so it smells vulnerable, but no-one can exploit it. |
There are always insecure ways to use things, but the main principle here is to not use untrusted information in a security decision. This ticket was not about closing a reported vuln but instead about adding functionality that allows applications to whitelist the
It's hard to know the myriad circumstances under which others are calling this method, which is why understanding the security principle is more important. |
|
Thank you, @jzheaux |
@jzheaux I think what I'm still a bit confused about is this issue was linked against a Sourceclear vulnerability (https://www.sourceclear.com/vulnerability-database/security/incorrect-headers-handling/java/sid-20558) - it may be a red herring, but neither side is telling us how one relates to the other, or where the relation even comes from. I figured with this SourceClear vuln being reported, the Pivotal folks would already be aware? |
@gjoseph Sorry that I don't have an update for you on this yet, though I am in the process of reaching out to SourceClear to get more information from them. |
@jzheaux I observed that this issue : https://www.sourceclear.com/vulnerability-database/security/incorrect-headers-handling/java/sid-20558 not reported on 5.1.6.RELEASE of spring-security-web but 4.X series is vunerable. I am currently using 4.X version and can't switch to latest version at this point of time, Are you still in discussion to get details from SourceClear? |
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes spring-projectsgh-4310
Added JavaDoc to method, including @SInCE attribute Issue spring-projectsgh-4310
|
Yes, @peeyushsurolia, I am still awaiting their response. |
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes spring-projectsgh-4310
Added JavaDoc to method, including @SInCE attribute Issue spring-projectsgh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes spring-projectsgh-4310
Added JavaDoc to method, including @SInCE attribute Issue spring-projectsgh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
jzheaux
added
type: enhancement
spring-projects-issues
removed
for: backport-to-5.5.x
jzheaux
added
for: backport-to-5.5.x
spring-projects-issues
removed
the
for: backport-to-5.5.x
|
I noticed this has been patched now, shouldn't there be an advisory for this within https://tanzu.vmware.com/security? |
|
Thanks, @snoopysecurity, for double-checking. Given that these changes don't resolve any CVE, I'm not sure what we'd report there. |
The class
UrlUtilsis using the methodgetServerName()of theHttpServletRequest.This method indeed is not secure since it could be manipulated through the host-header
See also: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
or: https://find-sec-bugs.github.io/bugs.htm#SERVLET_SERVER_NAME
See also: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
for a list of potential request headers which are manipulable.
The text was updated successfully, but these errors were encountered: